Date: Sat, 17 Dec 2016 18:16:19 -0800 From: Mahesh Bandewar <mahesh@...dewar.net> To: netdev <netdev@...r.kernel.org>, Eric Dumazet <edumazet@...gle.com>, David Miller <davem@...emloft.net> Cc: Mahesh Bandewar <maheshb@...gle.com> Subject: [PATCH net] ipvlan: fix crash From: Mahesh Bandewar <maheshb@...gle.com> ------------[ cut here ]------------ kernel BUG at include/linux/skbuff.h:1737! Call Trace: [<ffffffff921fbbc2>] dev_forward_skb+0x92/0xd0 [<ffffffffc031ac65>] ipvlan_process_multicast+0x395/0x4c0 [ipvlan] [<ffffffffc031a9a7>] ? ipvlan_process_multicast+0xd7/0x4c0 [ipvlan] [<ffffffff91cdfea7>] ? process_one_work+0x147/0x660 [<ffffffff91cdff09>] process_one_work+0x1a9/0x660 [<ffffffff91cdfea7>] ? process_one_work+0x147/0x660 [<ffffffff91ce086d>] worker_thread+0x11d/0x360 [<ffffffff91ce0750>] ? rescuer_thread+0x350/0x350 [<ffffffff91ce960b>] kthread+0xdb/0xe0 [<ffffffff91c05c70>] ? _raw_spin_unlock_irq+0x30/0x50 [<ffffffff91ce9530>] ? flush_kthread_worker+0xc0/0xc0 [<ffffffff92348b7a>] ret_from_fork+0x9a/0xd0 [<ffffffff91ce9530>] ? flush_kthread_worker+0xc0/0xc0 Signed-off-by: Mahesh Bandewar <maheshb@...gle.com> --- drivers/net/ipvlan/ipvlan_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index b4e990743e1d..4294fc1f5564 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -660,6 +660,9 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb) if (!port) return RX_HANDLER_PASS; + if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr)))) + goto out; + switch (port->mode) { case IPVLAN_MODE_L2: return ipvlan_handle_mode_l2(pskb, port); @@ -672,6 +675,8 @@ rx_handler_result_t ipvlan_handle_frame(struct sk_buff **pskb) /* Should not reach here */ WARN_ONCE(true, "ipvlan_handle_frame() called for mode = [%hx]\n", port->mode); + +out: kfree_skb(skb); return RX_HANDLER_CONSUMED; } -- 2.8.0.rc3.226.g39d4020
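Review bot: In the first hunk, the new pskb_may_pull(skb, sizeof(struct ethhdr)) failure path in ipvlan_handle_frame() jumps to out: and frees the skb with no drop accounting visible, so frames too short to carry an Ethernet header disappear silently; consider bumping a drop counter before kfree_skb(skb). The trace in the commit message also faults in ipvlan_process_multicast() via dev_forward_skb() from a worker thread, while the check is added in the rx handler, so the commit message should say how the short frame reaches that work item and whether every path that queues skbs for it goes through this check.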
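Review bot: In the second hunk, the out: label sits directly under the "Should not reach here" WARN_ONCE, so the expected drop path for short frames and the unexpected unknown-mode fallthrough now share one tail; a one-line comment at the label noting that it is also the normal drop path would stop the next reader from assuming the "Should not reach here" comment covers it. The commit message itself carries only the BUG trace, with no description of the cause and no Fixes: tag, which makes it hard to judge how far back a patch aimed at net applies.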